bisecting fixing commit since fc16a5322ee6c30ea848818722eee5d352f8d127
building syzkaller on b44001ce341058eacf27ece52df7cf35ca8b2f5a
testing commit fc16a5322ee6c30ea848818722eee5d352f8d127
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 969f906387249efd13ab02757c9c18a87a1c66f385a68b85976277e8e7d2d52d
run #0: crashed: BUG: sleeping function called from invalid context in lock_sock_nested
run #1: crashed: BUG: sleeping function called from invalid context in lock_sock_nested
run #2: crashed: general protection fault in free_percpu
run #3: crashed: BUG: unable to handle kernel paging request in get_counters
run #4: crashed: BUG: unable to handle kernel paging request in dev_fetch_sw_netstats
run #5: crashed: general protection fault in free_percpu
run #6: crashed: general protection fault in free_percpu
run #7: crashed: general protection fault in free_percpu
run #8: crashed: general protection fault in free_percpu
run #9: crashed: general protection fault in free_percpu
run #10: crashed: general protection fault in free_percpu
run #11: crashed: general protection fault in free_percpu
run #12: crashed: general protection fault in free_percpu
run #13: crashed: general protection fault in free_percpu
run #14: crashed: general protection fault in free_percpu
run #15: crashed: general protection fault in free_percpu
run #16: crashed: general protection fault in free_percpu
run #17: crashed: general protection fault in free_percpu
run #18: crashed: general protection fault in free_percpu
run #19: crashed: general protection fault in free_percpu
testing current HEAD e2bcbd7769ee8f05e1b3d10848aace98973844e4
testing commit e2bcbd7769ee8f05e1b3d10848aace98973844e4
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 4431848da2e325acf0fa97dde1b50ca9adad6ef61b8700a7e8b194147b5e2685
all runs: OK
# git bisect start e2bcbd7769ee8f05e1b3d10848aace98973844e4 fc16a5322ee6c30ea848818722eee5d352f8d127
Bisecting: 20386 revisions left to test after this (roughly 14 steps)
[56d33754481fe0dc7436dc4ee4fbd44b3039361d] Merge tag 'drm-next-2021-11-03' of git://anongit.freedesktop.org/drm/drm
testing commit 56d33754481fe0dc7436dc4ee4fbd44b3039361d
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 41aeb0dbfcf228e61c90757dfdc6b7de219dc17723d7207e251e59b391422663
run #0: crashed: general protection fault in free_percpu
run #1: crashed: general protection fault in free_percpu
run #2: crashed: general protection fault in free_percpu
run #3: crashed: general protection fault in free_percpu
run #4: crashed: general protection fault in free_percpu
run #5: crashed: general protection fault in free_percpu
run #6: crashed: general protection fault in free_percpu
run #7: crashed: general protection fault in free_percpu
run #8: crashed: general protection fault in free_percpu
run #9: crashed: BUG: unable to handle kernel paging request in get_counters
# git bisect good 56d33754481fe0dc7436dc4ee4fbd44b3039361d
Bisecting: 10197 revisions left to test after this (roughly 13 steps)
[e2dfb94f27f778e18e47b0c7ff8679099981073d] Merge tag 'for-net-next-2021-12-29' of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next
testing commit e2dfb94f27f778e18e47b0c7ff8679099981073d
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 74c81a55cb70282d33ecc8b9b57cb147dcfbfdad1339ea78dcbbd72bdfa71c1e
all runs: OK
# git bisect bad e2dfb94f27f778e18e47b0c7ff8679099981073d
Bisecting: 5086 revisions left to test after this (roughly 12 steps)
[dd72945c43d34bee496b847e021069dc31f7398f] Merge tag 'cxl-for-5.16' of git://git.kernel.org/pub/scm/linux/kernel/git/cxl/cxl
testing commit dd72945c43d34bee496b847e021069dc31f7398f
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 88b56d5e80569b2e7a224dfabdbce791d9b4786086b3e9ac9efdfc8ab1c0ec6b
all runs: crashed: general protection fault in free_percpu
# git bisect good dd72945c43d34bee496b847e021069dc31f7398f
Bisecting: 2565 revisions left to test after this (roughly 11 steps)
[2b2c0f24bac75bfdf2de9f4ea0912946ce5bf5c8] Merge tag 'trace-v5.16-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace
testing commit 2b2c0f24bac75bfdf2de9f4ea0912946ce5bf5c8
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: bff888b3403853045a827fc0ad7598540f526e203f4315675e7c48cb55806779
run #0: crashed: general protection fault in cgroup_rstat_flush_locked
run #1: crashed: general protection fault in free_percpu
run #2: crashed: general protection fault in free_percpu
run #3: crashed: general protection fault in free_percpu
run #4: crashed: general protection fault in free_percpu
run #5: crashed: general protection fault in free_percpu
run #6: crashed: general protection fault in free_percpu
run #7: crashed: general protection fault in free_percpu
run #8: crashed: general protection fault in free_percpu
run #9: crashed: general protection fault in free_percpu
# git bisect good 2b2c0f24bac75bfdf2de9f4ea0912946ce5bf5c8
Bisecting: 1300 revisions left to test after this (roughly 10 steps)
[db10415448158779127ad529335e2c447c5767c1] selftests: mptcp: remove duplicate include in mptcp_inq.c
testing commit db10415448158779127ad529335e2c447c5767c1
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: b35d2fc5f243cff3ab40a7b300339a2005f5d01eb47bdf1270d27ae37dc472f8
run #0: crashed: general protection fault in free_percpu
run #1: crashed: general protection fault in free_percpu
run #2: crashed: BUG: unable to handle kernel paging request in ip6t_do_table
run #3: crashed: general protection fault in free_percpu
run #4: crashed: BUG: unable to handle kernel paging request in ip6t_do_table
run #5: crashed: general protection fault in free_percpu
run #6: crashed: general protection fault in free_percpu
run #7: crashed: general protection fault in free_percpu
run #8: crashed: general protection fault in free_percpu
run #9: crashed: general protection fault in free_percpu
# git bisect good db10415448158779127ad529335e2c447c5767c1
Bisecting: 588 revisions left to test after this (roughly 9 steps)
[7cd2802d7496c1fc76f42dc045b48cc16d11df39] Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
testing commit 7cd2802d7496c1fc76f42dc045b48cc16d11df39
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 64588328ba8e87ae36022b0aa3ce957bbc823e0369172e1b4a0b958c9f8ca47a
all runs: crashed: general protection fault in free_percpu
# git bisect good 7cd2802d7496c1fc76f42dc045b48cc16d11df39
Bisecting: 292 revisions left to test after this (roughly 8 steps)
[68b930ad46b6615a3ef3fb05ac229a7b17df6c9c] Merge ath-next from git://git.kernel.org/pub/scm/linux/kernel/git/kvalo/ath.git
testing commit 68b930ad46b6615a3ef3fb05ac229a7b17df6c9c
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 2727a10878e411c7ec6bc23e0d7884901a3c46121830b864b72dd257e63d6bc0
run #0: crashed: general protection fault in free_percpu
run #1: crashed: BUG: unable to handle kernel paging request in get_counters
run #2: crashed: general protection fault in free_percpu
run #3: crashed: general protection fault in free_percpu
run #4: crashed: general protection fault in free_percpu
run #5: crashed: general protection fault in free_percpu
run #6: crashed: general protection fault in free_percpu
run #7: crashed: general protection fault in free_percpu
run #8: crashed: general protection fault in free_percpu
run #9: crashed: general protection fault in free_percpu
# git bisect good 68b930ad46b6615a3ef3fb05ac229a7b17df6c9c
Bisecting: 152 revisions left to test after this (roughly 7 steps)
[f2b551fad8d8f2ac5e1f810ad595298381e0b0c5] Merge tag 'wireless-drivers-next-2021-12-23' of git://git.kernel.org/pub/scm/linux/kernel/git/kvalo/wireless-drivers-next
testing commit f2b551fad8d8f2ac5e1f810ad595298381e0b0c5
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 7cf11a33052ab7f664f5ed53dc10c01b0b49d26cb0e6bfba1452925a0fbcc642
all runs: crashed: general protection fault in free_percpu
# git bisect good f2b551fad8d8f2ac5e1f810ad595298381e0b0c5
Bisecting: 76 revisions left to test after this (roughly 6 steps)
[6e19cf7d3815c009bfd213832a6feac4bafc37ae] i40e: switch to napi_build_skb()
testing commit 6e19cf7d3815c009bfd213832a6feac4bafc37ae
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: a18516501aec5087ff82de6edb8ce29afc1dfc744bcbd17b61731a8d5a8ea36a
all runs: OK
# git bisect bad 6e19cf7d3815c009bfd213832a6feac4bafc37ae
Bisecting: 37 revisions left to test after this (roughly 5 steps)
[bdf1b5c3884f6a0dc91b0dbdb8c3b7d205f449e0] sfc: Check null pointer of rx_queue->page_ring
testing commit bdf1b5c3884f6a0dc91b0dbdb8c3b7d205f449e0
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 08f1260170dc377e04ed685a0f26fb9206feefa72d9995ed4347aefe74502bb7
all runs: OK
# git bisect bad bdf1b5c3884f6a0dc91b0dbdb8c3b7d205f449e0
Bisecting: 16 revisions left to test after this (roughly 4 steps)
[aa3cc8a9e4001d50dd3e30b58257a9448b2b958b] Merge branch '100GbE' of git://git.kernel.org/pub/scm/linux/kernel/git/tnguy/net-queue
testing commit aa3cc8a9e4001d50dd3e30b58257a9448b2b958b
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 55c2d55b219898036cc189062b92e9cb4c892d1d14c9ea3bd71ee2172fa9c4a7
all runs: OK
# git bisect bad aa3cc8a9e4001d50dd3e30b58257a9448b2b958b
Bisecting: 10 revisions left to test after this (roughly 3 steps)
[8bea15ab7485863d900982ee6a0ff6f78b339c77] ice: xsk: allow empty Rx descriptors on XSK ZC data path
testing commit 8bea15ab7485863d900982ee6a0ff6f78b339c77
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 69a8297f67c4b814ec829feaed10bae4735e83cff74d987ae4a5dbc31bb277b7
run #0: crashed: BUG: unable to handle kernel paging request in ip6t_do_table
run #1: crashed: general protection fault in free_percpu
run #2: crashed: general protection fault in free_percpu
run #3: crashed: general protection fault in free_percpu
run #4: crashed: BUG: unable to handle kernel paging request in ip6t_do_table
run #5: crashed: general protection fault in free_percpu
run #6: crashed: general protection fault in free_percpu
run #7: crashed: general protection fault in free_percpu
run #8: crashed: general protection fault in free_percpu
run #9: crashed: general protection fault in free_percpu
# git bisect good 8bea15ab7485863d900982ee6a0ff6f78b339c77
Bisecting: 5 revisions left to test after this (roughly 3 steps)
[1488fc204568f707fe2a42a913788c00a95af30e] net: lantiq_xrx200: increase buffer reservation
testing commit 1488fc204568f707fe2a42a913788c00a95af30e
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: ca80b95b45759dd3527254186941f714d6f4cbd7baaed378b8014ed1ef9d2a30
all runs: crashed: general protection fault in free_percpu
# git bisect good 1488fc204568f707fe2a42a913788c00a95af30e
Bisecting: 2 revisions left to test after this (roughly 2 steps)
[2efc2256febf214e7b2bdaa21fe6c3c3146acdcb] net: marvell: prestera: fix incorrect structure access
testing commit 2efc2256febf214e7b2bdaa21fe6c3c3146acdcb
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: b87dd33586580018901a4f377f90be1a444e97b139742821602208e1d7c58b81
run #0: crashed: general protection fault in free_percpu
run #1: crashed: general protection fault in free_percpu
run #2: crashed: BUG: unable to handle kernel paging request in get_counters
run #3: crashed: general protection fault in free_percpu
run #4: crashed: general protection fault in free_percpu
run #5: crashed: general protection fault in free_percpu
run #6: crashed: BUG: unable to handle kernel paging request in get_counters
run #7: crashed: general protection fault in free_percpu
run #8: crashed: general protection fault in free_percpu
run #9: crashed: general protection fault in free_percpu
# git bisect good 2efc2256febf214e7b2bdaa21fe6c3c3146acdcb
Bisecting: 1 revision left to test after this (roughly 1 step)
[dcbaf72aa4232a7aa5db5e483972a6fe4ba2b41c] ice: xsk: fix cleaned_count setting
testing commit dcbaf72aa4232a7aa5db5e483972a6fe4ba2b41c
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 69a8297f67c4b814ec829feaed10bae4735e83cff74d987ae4a5dbc31bb277b7
run #0: crashed: general protection fault in free_percpu
run #1: crashed: general protection fault in free_percpu
run #2: crashed: general protection fault in free_percpu
run #3: crashed: general protection fault in free_percpu
run #4: crashed: general protection fault in free_percpu
run #5: crashed: BUG: unable to handle kernel paging request in ip6t_do_table
run #6: crashed: BUG: unable to handle kernel paging request in dev_fetch_sw_netstats
run #7: crashed: general protection fault in free_percpu
run #8: crashed: general protection fault in free_percpu
run #9: crashed: general protection fault in free_percpu
# git bisect good dcbaf72aa4232a7aa5db5e483972a6fe4ba2b41c
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[158b515f703e75e7d68289bf4d98c664e1d632df] tun: avoid double free in tun_free_netdev
testing commit 158b515f703e75e7d68289bf4d98c664e1d632df
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 55c2d55b219898036cc189062b92e9cb4c892d1d14c9ea3bd71ee2172fa9c4a7
all runs: OK
# git bisect bad 158b515f703e75e7d68289bf4d98c664e1d632df
158b515f703e75e7d68289bf4d98c664e1d632df is the first bad commit
commit 158b515f703e75e7d68289bf4d98c664e1d632df
Author: George Kennedy
Date: Thu Dec 16 13:25:32 2021 -0500

    tun: avoid double free in tun_free_netdev

    Avoid double free in tun_free_netdev() by moving the
    dev->tstats and tun->security allocs to a new ndo_init routine
    (tun_net_init()) that will be called by register_netdevice().
    ndo_init is paired with the desctructor (tun_free_netdev()),
    so if there's an error in register_netdevice() the destructor
    will handle the frees.

    BUG: KASAN: double-free or invalid-free in selinux_tun_dev_free_security+0x1a/0x20 security/selinux/hooks.c:5605

    CPU: 0 PID: 25750 Comm: syz-executor416 Not tainted 5.16.0-rc2-syzk #1
    Hardware name: Red Hat KVM, BIOS
    Call Trace:
    __dump_stack lib/dump_stack.c:88 [inline]
    dump_stack_lvl+0x89/0xb5 lib/dump_stack.c:106
    print_address_description.constprop.9+0x28/0x160 mm/kasan/report.c:247
    kasan_report_invalid_free+0x55/0x80 mm/kasan/report.c:372
    ____kasan_slab_free mm/kasan/common.c:346 [inline]
    __kasan_slab_free+0x107/0x120 mm/kasan/common.c:374
    kasan_slab_free include/linux/kasan.h:235 [inline]
    slab_free_hook mm/slub.c:1723 [inline]
    slab_free_freelist_hook mm/slub.c:1749 [inline]
    slab_free mm/slub.c:3513 [inline]
    kfree+0xac/0x2d0 mm/slub.c:4561
    selinux_tun_dev_free_security+0x1a/0x20 security/selinux/hooks.c:5605
    security_tun_dev_free_security+0x4f/0x90 security/security.c:2342
    tun_free_netdev+0xe6/0x150 drivers/net/tun.c:2215
    netdev_run_todo+0x4df/0x840 net/core/dev.c:10627
    rtnl_unlock+0x13/0x20 net/core/rtnetlink.c:112
    __tun_chr_ioctl+0x80c/0x2870 drivers/net/tun.c:3302
    tun_chr_ioctl+0x2f/0x40 drivers/net/tun.c:3311
    vfs_ioctl fs/ioctl.c:51 [inline]
    __do_sys_ioctl fs/ioctl.c:874 [inline]
    __se_sys_ioctl fs/ioctl.c:860 [inline]
    __x64_sys_ioctl+0x19d/0x220 fs/ioctl.c:860
    do_syscall_x64 arch/x86/entry/common.c:50 [inline]
    do_syscall_64+0x3a/0x80 arch/x86/entry/common.c:80
    entry_SYSCALL_64_after_hwframe+0x44/0xae

    Reported-by: syzkaller
    Signed-off-by: George Kennedy
    Suggested-by: Jakub Kicinski
    Link: https://lore.kernel.org/r/1639679132-19884-1-git-send-email-george.kennedy@oracle.com
    Signed-off-by: Jakub Kicinski

 drivers/net/tun.c | 115 ++++++++++++++++++++++++++++--------------------------
 1 file changed, 59 insertions(+), 56 deletions(-)

culprit signature: 55c2d55b219898036cc189062b92e9cb4c892d1d14c9ea3bd71ee2172fa9c4a7
parent signature: b87dd33586580018901a4f377f90be1a444e97b139742821602208e1d7c58b81
revisions tested: 18, total time: 4h1m15.393627628s (build: 1h57m48.616759762s, test: 2h1m25.536790253s)
first good commit: 158b515f703e75e7d68289bf4d98c664e1d632df tun: avoid double free in tun_free_netdev
recipients (to): ["davem@davemloft.net" "george.kennedy@oracle.com" "kuba@kernel.org" "kuba@kernel.org" "netdev@vger.kernel.org"]
recipients (cc): ["linux-kernel@vger.kernel.org"]